I've been scouring the internet on various occasions for quite a while now trying to figure all of this stuff out. I'm creating a web app where I have users submit JavaScript that they have written to a database, and that JavaScript is then served up and run on the browsers of other users. Obviously the user-submitted JavaScript has the potential to be dangerous. To secure it I run it through Caja, which I know does a lot of fancy stuff including potentially rewriting the code. It is a lot of overhead that I wish could be simpler, but Caja is the best that I've been able to find for me to easily secure my code. I've also heard of SES, and I'm confused. There seems to be no source that explains this well.

Hi Jordan, glad to hear that Caja and SES are useful to you. To give a clearer answer, I'm going to introduce some further terminology and distinctions.

Caja is the package securing both the browser DOM API (together with html and css) as well as JavaScript. The portion dealing with JavaScript has gone through two recent major versions:

* ES5/3 is a server-side translator from approximately the SES subset of ES5 (EcmaScript 5) to ES3 that was necessary for old browsers.

* SES is a pure client-side securing of JavaScript that can be used on ES5 compatible browsers, which now includes all browsers in use today except for IE9 (if you care about that).

The portion dealing with the DOM API (together with html and css) is Domado. Domado has been carefully refactored to work with both ES5/3 and SES.

So "old" Caja is ES5/3 + Domado.

"new" Caja is SES + Domado.

If you are interested in running JavaScript in a confined manner, but do not need to give it access to the DOM API or other APIs specific to the browser, then you don't need Domado.

From what I've been able to gather, SES is what is produced after running initSES.js on some JavaScript code?

Yes.

Apparently the initSES.js process is much simpler than the Cajoling process, because ES5 strict mode code is much easier to secure.

Yes.

So, is there an official version of initSES.js that I can run on ES5 Strict Mode code that will make it completely secure?

After building Caja, you will find an initSES.js in ant-lib/com/google/caja/ses/initSES.js . For reference, I attach the one I just built, but you should endeavor to rebuild it yourself so you can stay up to date.

During the entire history of the project, no vulnerability in Caja has ever led to any known actual compromise of any site it has protected.

Is anyone using SES code out in the wild? Some clarification would be nice.

Not much. ES7 will introduce a Realm and Loader API, providing more direct support for object-capability security within the JavaScript language. We expect that the direct support and increase in convenience will lead to better adoption.

If the above was confusing, then to put things more simply and to summarize:

I would like to know if I can run user-submitted ES5 Strict Mode code through initSES.js and produce SES code, without the use of Caja.

Yes, absolutely!

Any clarification will be greatly appreciated, thanks!

You are very welcome. Please let us know more about what you're up to if you can. Thanks!
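
The remark in the thread that ES5 strict mode code is easier to secure can be seen in the language itself. The following is an added example, not part of the original thread and not SES or Caja code: the `GUEST` snippets, the `run` helper and the `shared` object are constructed for illustration, and it shows three strict-mode rules only, not what initSES.js does.

```javascript
// Added illustration: plain JavaScript, no initSES.js involved.
// Each entry is constructed "guest" source, evaluated once sloppy and once strict.
const GUEST = {
  // A function called without a receiver: does `this` become the global object?
  ambientThis: 'return (function () { return this; })() === globalThis;',
  // Can a callee reach its caller's function object through arguments.callee?
  callerWalk:
    'function inner() { return arguments.callee.caller === outer; }\n' +
    'function outer() { return inner(); }\n' +
    'return outer();',
  // Does a write to a frozen, host-owned object succeed, vanish, or throw?
  frozenWrite: 'shared.log = null; return shared.log === null;'
};

// Evaluate one guest snippet. `shared` stands in for an object the host
// hands to guest code after freezing it (an assumption of this example).
function run(name, strict) {
  const shared = Object.freeze({ log: function () {} });
  const body = (strict ? '"use strict";\n' : '') + GUEST[name];
  try {
    return { value: new Function('shared', body)(shared), threw: null };
  } catch (e) {
    return { value: undefined, threw: e.name };
  }
}

// Print the comparison when run stand-alone.
for (const name of Object.keys(GUEST)) {
  console.log(name, 'sloppy:', run(name, false), 'strict:', run(name, true));
}
```

In sloppy mode the guest obtains the global object and its caller, and its failed write passes silently; under `"use strict"` the first yields `undefined` and the other two throw `TypeError`.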

Ken Hamer Hodges
